Transforming Education Through Information Technologies
http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)
HEBCA: Higher Education Bridge Certificate Authority
Michael R Gettes
Georgetown University
Technical Policy
PKI is 1/3 Technical and 2/3 Policy?
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one-way policy”
• Directories are critical in BCA world.
A Snapshot of the U.S. Federal PKI
(diagram; labels: Federal Bridge CA, NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI)
EMA Challenge Architecture
What is Cross Certification?
• A Bridge signs a site PKI and vice-versa
• Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line.
• Policy OIDs and Name Constraint controls are in the cross certificates
• Policy OIDs could map to XML documents describing the policy (processed per Carmody)
Path Validation
• Application receives a Certificate
• Finds a path back to the signer of the Certificate, validating the path for policy mappings and name constraints.
• Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever
• Name Constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu
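The cross-certification and path-validation steps above, as an added example that is not part of the original presentation: a simplified Python model of bridge-CA path discovery and validation, with constructed DNs and policy labels standing in for real OIDs. It shows how each cross-certificate maps the relying party's accepted policy into the next domain and how a name constraint placed in a cross-certificate limits what the subordinate CA may sign; real X.509 path validation (RFC 5280) applies more rules than this.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str                          # DN, most-specific RDN first
    issuer: str
    policies: frozenset                   # policy OIDs asserted (constructed labels, not real OIDs)
    mappings: dict = field(default_factory=dict)  # issuer-domain OID -> subject-domain OID
    permitted: str = None                 # name constraint: later subjects must sit under this DN

def discover_path(end_cert, directory, anchor):
    """Follow issuer links through published (cross-)certificates back to the trust anchor."""
    path, cert = [end_cert], end_cert
    while cert.issuer != anchor.subject:
        cert = directory.get(cert.issuer)   # directory lookup of the issuer's certificate
        if cert is None:
            return None
        path.append(cert)
    return list(reversed(path))             # anchor side first, the order validation uses

def validate(path, initial_policies):
    """Enforce name constraints and map policy OIDs hop by hop; returns (ok, detail)."""
    acceptable, constraints = set(initial_policies), []
    for cert in path:
        # constraints collected from earlier CAs apply to every later subject name
        if any(not (cert.subject == b or cert.subject.endswith("," + b)) for b in constraints):
            return False, f"name constraint violated by {cert.subject}"
        if not acceptable & cert.policies:
            return False, f"no acceptable policy asserted by {cert.subject}"
        acceptable = {cert.mappings.get(p, p) for p in acceptable}  # translate into next domain
        if cert.permitted:
            constraints.append(cert.permitted)
    return True, sorted(acceptable & path[-1].policies)

# Constructed trust topology: NIH anchor -> FBCA -> HEBCA -> university CA -> end user
NIH, FBCA = "ou=NIH,o=U.S. Government,c=US", "ou=FBCA,o=U.S. Government,c=US"
HEBCA, UA = "ou=HEBCA,o=edu,c=US", "cn=CA,dc=ua,dc=edu"
ANCHOR = Cert(NIH, NIH, frozenset({"nih-medium"}))
DIRECTORY = {   # cross-certificates as published in the directories, keyed by subject
    FBCA:  Cert(FBCA, NIH, frozenset({"nih-medium"}), {"nih-medium": "fbca-medium"}),
    HEBCA: Cert(HEBCA, FBCA, frozenset({"fbca-medium"}), {"fbca-medium": "hebca-medium"}, "dc=edu"),
    UA:    Cert(UA, HEBCA, frozenset({"hebca-medium"}), {"hebca-medium": "ua-medium"}, "dc=ua,dc=edu"),
}
ALICE = Cert("cn=alice,dc=ua,dc=edu", UA, frozenset({"ua-medium"}))
MALLORY = Cert("cn=mallory,dc=example,dc=com", UA, frozenset({"ua-medium"}))  # outside UA's name space

def check(end_cert, accepted=("nih-medium",)):
    # what the relying party (NIH) does with a received certificate
    path = discover_path(end_cert, DIRECTORY, ANCHOR)
    return validate(path, accepted) if path else (False, "no path to trust anchor")
```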
On Policy
• We have a draft HEBCA Certificate Policy
• The HE CP and HEBCA CP are congruent
• The HEBCA CP and FBCA CP are congruent
• We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE
NIH-Educause PKI Pilot: Phase Two
Electronic Grant Application With Multiple Digital Signatures
Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research
The Goals
1. Receive NIH research grant application in electronic form signed with two different digital certificates each; digital certificates issued by Institution, several different vendors represented;
2. Verify and validate digital signatures through ACES Certificate Arbitration Module (CAM).
3. (EDUCAUSE Funding and Administrative Support, Coordination and Marketing.)
Intermediate Requirements
1. Stand up a Higher Education Bridge Certification Authority (HEBCA);
2. Cross-certify the Federal Bridge CA with the Higher Education Bridge CA;
3. Cross-certify Institutions with HEBCA;
Participating Institutions
• University of Alabama-Birmingham
• University of Wisconsin-Madison
• University of California, Office of the President
• University of Texas – Houston
• Dartmouth College
• (Georgetown University – HEBCA issues)
The Problem
• Picture/s of piles of grant applications
– About 20,000 6 ft high standing people of paper.
• 1 forest per year just grant apps.
• The Solution: signed, electronic grant application
– Of course!
Phase Two Concept of Operations (CONOPS)
(diagram; labels: University A, University B, University C, each with E-Lock Assured Office / Digital Signed Grant Appl; Internet; NIH OER Mail Server; NIH OER Recipient with E-Lock Assured Office, CAM-enabled; NIH CAM Server; FBCA; HEBCA; CertStatus; Certificate Validation for University A, B and C)
HEBCA Proof of Concept Architecture
(diagram; labels: NIH Trust Domain with NIH User, NIH Test CA and Directory; Higher Education Trust Domain with Alabama (DST ARP Test CA, Directory), California (Verisign CA, i500 Directory), Wisconsin (iPlanet CA, RSA CA); Firewall; Prototype Federal Bridge Certificate Authority with Cross Certified CAs (RSA CA, Entrust CA), Directory System Agent, FIP 140-1 L3 Crypto; directories publishing cross certificates, CRL and ARL)
HEBCA Proof of Concept CA Interoperability Configuration
(diagram; labels: Prototype Federal Bridge Certification Authority (Entrust CA, RSA CA); NIH (NIH Test CA, Client); Higher Education Bridge Certification Authority (RSA CA); California (Verisign CA, Client); Alabama (DST ARP Test CA, Client); Wisconsin (iPlanet CA, Client))
HEBCA Proof of Concept Directory Interoperability Configuration
(diagram; directories connected by chaining)
• Prototype FBCA (Peerlogic), cn=FBCA_Directory: c=US; o=U.S. Government; ou=FBCA; IP address 198.76.35.155; DSP port 102; LDAP port 389; TSEL: TCP/IP
• NIH, cn=nihstandin: c=US; o=U.S. Government; ou=NIH; IP address 207.123.140.5; DSP port 102; LDAP port 389; TSEL: TCP/IP
• HEBCA (Critical Path), cn=HEBCA: c=US; o=edu; ou=HEBCA; IP address 207.123.140.5; DSP port 102; LDAP port 389; TSEL: TCP/IP
• Alabama, cn=ARP Test Client CA: c=US; o=Digital Signature Trust Co; ou=ARP Testing; IP address 208.30.65.30; DAP/DSP port 102; LDAP port 389
• California: c= ; o= ; ou= ; IP address: ; DAP/DSP port: ; LDAP port: ; cn= (not yet filled in)
• Wisconsin: c= ; o= ; ou= ; IP address: ; DAP/DSP port: ; LDAP port: ; cn= (not yet filled in)
“DAVE” (Discovery and Validation Engine)
(diagram; labels: sender (UA), receiver (NIH), NIH CA trust anchor, NIH directory, FBCA and FBCA dir, HEBCA and HEBCA dir, UA CA and UA dir, cross certs between them, issued certificate, DAVE/CAM, E-Lock software, CA, directory; get Cert, CRL via directory chaining; New LDAP Registry of Directories for BCAs)
DAVE Components
CML Libraries [Getronics]
• ASN.1 parsing (SNACC)
• S/MIME parsing (SFL)
• Cryptographic engine
• LDAP and local directory retrieval (SFL)
• Path discovery engine (CPL)
DAVE Functions
• Perform proper sequential calling of CML functions (i.e., the business logic)
• Provide call-back functions needed by CML functions
• Provide all CAM communications and protocol transformations
• Wraps CML functions into an NT service (multithreaded, failure and recovery modes, logging, etc.)
Verification & Validation Details
(diagram; labels: Agency App/CAM; CAM Server; Certificate Authority/Validation Request; CAM/CA; OCSP; MsgData; Discovery and Validation Engine (DAVE); Passing Certificate)
Agency App = E-Lock Assured Office, CAM-enabled
Search for issuer to validate: CRL or OCSP Responder. If chained, path reverses; if not chained, LDAP queries.
E-Lock Assured Office verifies the signature:
• Verifies the document has not been changed
• Verifies the validity period of the certificate
• Once verified, the certificate is sent to the CAM for certificate validation to ensure that it has not been revoked
Bridge CA vs. Shibboleth
• PKI is hard to deploy to end users
• Shib should use BCA aware PKI between servers
• Club Shib will then scale using Policies and Relationships established by Bridge CA world
• ONE Club Shib managed by policy
• Java 1.4 is Bridge aware. Whistler is supposed to be.